Abstract. This report presents the tool COMICS 1.0, which performs 
model checking and generates counterexamples for DTMCs. For an input 
DTMC, COMICS computes an abstract system that carries the model 
checking information and uses this result to compute a critical subsystem, 
which induces a counterexample. This abstract subsystem can be refined 
and concretized hierarchically. The tool comes with a command-line 
version as well as a graphical user interface that allows the user to 
interactively influence the refinement process of the counterexample. 

1 Introduction 

Discrete-time Markov chains (DTMCs) are widely used to model safety-critical 
systems with uncertainties. Model checking probabilistic computation tree logic 
(PCTL) [1] properties can be performed by prominent tools like Prism [2] and 
Mrmc [3]. Unfortunately, the implemented numerical methods do not provide 
diagnostic information in the form of counterexamples, which are very important for 
debugging and are also needed for CEGAR frameworks [4]. 

Although different approaches were proposed for probabilistic counterexamples 
[5,6,7,8,9], there is still a lack of efficient and user-friendly tools. To fill this 
gap, we developed the tool COMICS (Computing Minimal Counterexamples), 
supporting SCC-based model checking [10] and, in case the property is violated, 
the automatic generation of abstract counterexamples [5], which can subsequently 
be refined either automatically or guided by the user. 

While most approaches represent probabilistic counterexamples as sets of 
paths, we use (hierarchically abstracted) subgraphs of the input DTMC, so-called 
critical subsystems. This allows for a much more compact representation and a 
significant decrease in the computational complexity. The user can refine abstract 
critical subsystems hierarchically by choosing system parts of interest which are 
to be concretized and further examined. All computation steps of the hierarchical 
counterexample refinement can be guided and revised. Though refinement can 
be done until a fully concrete counterexample is gained, it seems likely that the 
user can gain sufficient debugging information from abstract systems considering 
real-world examples with millions of states. The tool comes with a graphical user 
interface (GUI) which permits the visualization and reviewing of existing test 
cases and the creation of random examples as well as new test cases. 

The implemented methods result in substantial improvements regarding the 
size and the number of computation steps for the generation of probabilistic 
counterexamples. The only other available tool we are aware of is DiPro [11]. 
However, it does not support abstract counterexamples, which is crucial for the 
handling of large systems. It also does not allow the user to influence the search 
process by using his or her expertise. Comparative experiments show that we 
can compute reasonably smaller counterexamples in shorter time with our tool. 

In Section 2 we recall some preliminaries regarding DTMCs and counterexamples. 
In Section 3 we give a brief introduction to the methods implemented 
in our tool. We describe the features and architecture in Section 4 and report 
on some benchmarks. We conclude the paper in Section 5. The tool, a detailed 
manual, and a number of benchmarks are available at the COMICS website. 



2 Preliminaries 

In this section we give some basic foundations. See [12] for more details. 

Definition 1. Assume a set $AP$ of atomic propositions. A discrete-time Markov 
chain (DTMC) is a tuple $M = (S, I, P, L)$ with a non-empty finite state set $S$, 
an initial discrete probability distribution $I : S \to [0, 1]$ with $\sum_{s \in S} I(s) = 1$, a 
transition probability matrix $P : S \times S \to [0, 1]$ with $\sum_{s' \in S} P(s, s') = 1$ for all 
$s \in S$, and a labeling function $L : S \to 2^{AP}$. 

Assume in the following a set $AP$ of atomic propositions and a DTMC 
$M = (S, I, P, L)$. 

We say that there is a transition from a state $s \in S$ to a state $s' \in S$ iff 
$P(s, s') > 0$. A path of $M$ is a finite or infinite sequence $\pi = s_0 s_1 \ldots$ of states 
$s_i \in S$ such that $P(s_i, s_{i+1}) > 0$ for all $i$. We say that the transitions $(s_i, s_{i+1})$ are 
contained in the path $\pi$, written $(s_i, s_{i+1}) \in \pi$. We write $Paths^{inf}$ for the set of 
all infinite paths of $M$, and $Paths^{inf}(s)$ for those starting in $s \in S$. Analogously, 
$Paths^{fin}$ is the set of all finite paths of $M$, $Paths^{fin}(s)$ of those starting in $s$, and 
$Paths^{fin}(s, t)$ of those starting in $s$ and ending in $t$. A state $t$ is called reachable 
from another state $s$ iff $Paths^{fin}(s, t) \neq \emptyset$. 

A state set $S' \subseteq S$ is called absorbing in $M$ iff there is a state in $S'$ from 
which no state outside $S'$ is reachable in $M$. We call $S'$ bottom in $M$ if this holds 
for all states in $S'$. States $s \in S$ with $P(s, s) = 1$ are also called absorbing states. 
We call $M$ loop-free if all of its loops are self-loops on absorbing states. A set 
$S' \subseteq S$ is strongly connected in $M$ iff for all $s, t \in S'$ there is a path from $s$ to $t$ 
visiting states from $S'$ only. A strongly connected component (SCC) of $M$ is a 
maximal strongly connected subset of $S$. 

The probability measure for finite paths $\pi \in Paths^{fin}$ is defined by 
$\Pr^{fin}_M(\pi) = \prod_{(s_i, s_{i+1}) \in \pi} P(s_i, s_{i+1})$. For a set $R \subseteq Paths^{fin}$ of paths we have 
$\Pr^{fin}(R) = \sum_{\pi \in R'} \Pr^{fin}(\pi)$ with $R' = \{\pi \in R \mid \forall \pi' \in R.\ \pi' \text{ is no proper prefix of } \pi\}$. 

The syntax of probabilistic computation tree logic (PCTL) [13] is given by (in this 
paper we only consider unbounded properties) 

$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid P_{\sim\lambda}(\varphi\; U\; \varphi)$ 

for (state) formulae with $p \in AP$, $\lambda \in [0, 1] \subseteq \mathbb{R}$, and $\sim \in \{<, \leq, >, \geq\}$. We 
define the "finally" operator ($\Diamond$) and the "globally" operator ($\Box$) in the usual way. 

For a property $P_{\leq\lambda}(\varphi_1\; U\; \varphi_2)$ refuted by $M$, a counterexample is a set $C \subseteq 
Paths^{fin}$ with $\Pr^{fin}(C) > \lambda$ of finite paths starting in an initial state and satisfying 
$\varphi_1\; U\; \varphi_2$. For $P_{<\lambda}(\varphi_1\; U\; \varphi_2)$, the probability mass has to be at least $\lambda$. We consider 
upper probability bounds only; see [5] for the reduction of lower bounds to this 
case. 

We reduce the problem of checking probabilistic until properties $P_{\leq\lambda}(\varphi_1\; U\; \varphi_2)$ 
to probabilistic reachability problems as follows: Each state of the DTMC $M$ that 
satisfies $(\neg\varphi_1 \wedge \neg\varphi_2) \vee \varphi_2$ is made absorbing. Instead of checking $P_{\leq\lambda}(\varphi_1\; U\; \varphi_2)$ 
for $M$, we check $P_{\leq\lambda}(\Diamond\varphi_2)$ for the modified DTMC. The $\varphi_2$-states are also called 
target states. We concentrate on this reduced problem and assume DTMCs to 
have single initial and target states. Note that each DTMC can be equivalently 
transformed w.r.t. a $U$-formula to satisfy these requirements. 
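As an added illustration of the until-to-reachability reduction and of the measure $\Pr^{fin}$ on path sets (example code written for this edit, not part of COMICS), the following Python snippet builds a small constructed DTMC, makes the $(\neg\varphi_1 \wedge \neg\varphi_2) \vee \varphi_2$ states absorbing, and checks whether a given set of finite paths is a counterexample for $P_{\leq\lambda}(\varphi_1\; U\; \varphi_2)$; all states, labels, probabilities and paths are constructed.

```python
from fractions import Fraction as F

# Constructed DTMC (not from the paper): P[s] maps each successor of s to its probability,
# L[s] is the set of atomic propositions holding in s; 'a' and 'b' are the propositions used.
P = {0: {1: F(1, 2), 2: F(1, 2)}, 1: {1: F(1, 3), 3: F(2, 3)},
     2: {0: F(1, 4), 4: F(3, 4)}, 3: {3: F(1)}, 4: {4: F(1)}}
L = {0: {"a"}, 1: {"a"}, 2: {"a"}, 3: {"b"}, 4: set()}

def reduce_until(P, L, p1, p2):
    """Make every state satisfying (not p1 and not p2) or p2 absorbing, so that checking
    P_{<=lam}(p1 U p2) on P becomes checking P_{<=lam}(<> p2) on the returned DTMC."""
    return {s: ({s: F(1)} if p2 in L[s] or p1 not in L[s] else dict(succ))
            for s, succ in P.items()}

def path_prob(P, path):
    """Pr^fin of a single finite path: the product of its transition probabilities."""
    pr = F(1)
    for s, t in zip(path, path[1:]):
        pr *= P[s].get(t, F(0))          # 0 if (s, t) is not a transition
    return pr

def set_prob(P, paths):
    """Pr^fin of a set of finite paths: a path with a proper prefix in the set is dropped
    (its cylinder is already counted); the remaining path probabilities are summed."""
    keep = [p for p in paths if not any(q != p and p[:len(q)] == q for q in paths)]
    return sum((path_prob(P, p) for p in keep), F(0))

def is_counterexample(P, L, p1, p2, init, lam, paths):
    """True iff `paths` refutes P_{<=lam}(p1 U p2): in the reduced DTMC every path starts
    in init, is a real path, stops at the first p2-state (no earlier state is absorbing),
    and the set's probability mass exceeds lam."""
    Q = reduce_until(P, L, p1, p2)
    for p in paths:
        if (p[0] != init or p2 not in L[p[-1]] or path_prob(Q, p) == 0
                or any(Q[s] == {s: F(1)} for s in p[:-1])):
            return False
    return set_prob(Q, paths) > lam
```

For the constructed chain the exact probability of reaching state 3 from state 0 is 4/7, so $P_{\leq 1/2}(a\; U\; b)$ is refuted and the four paths 0 1 3, 0 1 1 3, 0 2 0 1 3 and 0 1 1 1 3 (mass 113/216) form a counterexample.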



3 Hierarchical Counterexamples 



In [10] we proposed a model checking approach for DTMCs based on hierarchical 
abstraction. Each SCC of the underlying graph of the input DTMC is abstracted 
by a state whose outgoing transitions lead to states outside the SCC and carry 
the whole probability mass of reaching those states once the SCC has been entered. 
This abstraction is done recursively in a bottom-up manner: before abstracting 
an SCC we first apply abstraction to the sub-SCCs nested in it. The final result is 
an abstract DTMC whose only transitions lead from the initial state of the input 
DTMC to absorbing states and carry the corresponding reachability probabilities. 



Fig. 1(a) depicts a DTMC and its nested SCC structure: SCC $S_1$ contains 
SCC $S_{1.1}$. The upper graph of Fig. 1(b) depicts the result of the model checking: 
The probability to reach the target state 3 from the initial state is 0.9. This 
hierarchically abstracted DTMC can also be hierarchically concretized. The lower 
graph of Fig. 1(b) shows the concretization of the abstract state $s_0$: The outgoing 
edges of $S_1$ carry the probability mass of all paths leading from the input state 
4 of the SCC $S_1$ to the output states 3 and 7, respectively. Fig. 1(c) shows a 
further concretization step: the state $s_1$ is concretized while the SCC $S_{1.1}$ is 
still abstracted. Concretizing also the abstract state $s_{1.1}$ would result in the 
DTMC of Fig. 1(a). 

Fig. 1. Example SCC-based model checking 

Based on this approach, we presented in [5] a method 
to compute and represent counterexamples as critical subsystems, consisting of 
subsets of the original DTMC's states and transitions such that the probability of 
reaching target states from the initial state within the subsystem still exceeds the 
probability bound A. The method first computes an abstract critical subsystem for 
the abstract DTMC resulting from model checking. Inside this abstract DTMC 
one or more abstract states are selected and concretized, and a critical subsystem 
is determined for the concretized system. This process may be repeated until 
the system is fully concretized. We suggested two methods for the computation 
of critical subsystems: The global search (GS) looks for most probable paths 
through the whole system until the involved states and transitions form a critical 
subsystem. The local search (LS) builds critical subsystems incrementally by 
extending subsystems with most probable path fragments. 
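The SCC abstraction described in this section can be carried out on a small constructed DTMC as follows (example code written for this edit, not COMICS's implementation; it performs a single abstraction level over the maximal SCCs instead of the paper's bottom-up recursion over nested SCCs). For each input state of a non-bottom SCC, the outgoing probabilities of the abstract state are obtained by solving the linear system of the SCC's internal transitions with exact fractions.

```python
from fractions import Fraction as F

# Constructed DTMC (not the paper's Fig. 1): 0 is initial, 3 the target, 4 a sink;
# states {1, 2} form an SCC entered only through 1 and left towards 3 or 4.
P = {0: {1: F(1)}, 1: {2: F(1, 2), 3: F(1, 2)}, 2: {1: F(1, 2), 4: F(1, 2)},
     3: {3: F(1)}, 4: {4: F(1)}}

def reachable(P, s):
    """All states reachable from s (s itself included)."""
    seen, todo = {s}, [s]
    while todo:
        for t in P[todo.pop()]:
            if t not in seen: seen.add(t); todo.append(t)
    return seen

def scc_of(P, s):
    """The SCC of s: states reachable from s from which s is reachable again."""
    return {t for t in reachable(P, s) if s in reachable(P, t)}

def exit_distribution(P, scc, entry):
    """Probability of leaving the SCC through each exit state e when starting in `entry`:
    solve (I - P|scc) x = b, b_s = P(s, e), by Gauss-Jordan elimination over fractions."""
    inner, dist = sorted(scc), {}
    n = len(inner)
    for e in sorted({t for s in scc for t in P[s] if t not in scc}):
        A = [[F(int(i == j)) - P[s].get(t, F(0)) for j, t in enumerate(inner)]
             + [P[s].get(e, F(0))] for i, s in enumerate(inner)]
        for c in range(n):                 # non-singular: every SCC state reaches an exit
            piv = next(r for r in range(c, n) if A[r][c] != 0)
            A[c], A[piv] = A[piv], A[c]
            A[c] = [a / A[c][c] for a in A[c]]
            for r in range(n):
                if r != c and A[r][c] != 0:
                    A[r] = [a - A[r][c] * b for a, b in zip(A[r], A[c])]
        dist[e] = A[inner.index(entry)][n]
    return dist

def abstract(P, init):
    """One abstraction level: each non-bottom SCC is replaced by its input states, whose
    outgoing edges become the SCC's exit distribution (COMICS nests this over sub-SCCs)."""
    Q, done = dict(P), set()
    for s in P:
        if s in done: continue
        scc = scc_of(P, s); done |= scc
        if all(t in scc for u in scc for t in P[u]): continue   # bottom SCC, stays as is
        inputs = {u for u in scc if u == init
                  or any(u in P[v] for v in P if v not in scc)}
        for u in scc: del Q[u]
        for u in inputs: Q[u] = exit_distribution(P, scc, u)
    return Q
```

On the constructed chain the SCC {1, 2} becomes the single state 1 with edges 1 -> 3 (2/3) and 1 -> 4 (1/3), so the abstract DTMC already exposes the reachability probability 2/3 of the target.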

Its application to benchmarks showed the competitiveness of the SCC-based 
model checking. Compared to other approaches, experiments for the counterexample 
generation revealed an improvement by several orders of magnitude in the 
number of paths needed to form the counterexample as well as in the number of 
involved states. 



4 The COMICS Tool 

COMICS can be used either as a command-line tool or with a GUI, the latter 
allowing the user to actively influence the process of finding a counterexample. 
We therefore distinguish between command-line mode and interactive mode. The 
program consists of approximately 20 000 lines of code. The GUI is implemented 
in Java, all other components in C++. The user may select exact or floating point 
arithmetic for the computations. 

In command-line mode, SCC-based model checking can be performed for an 
input DTMC and a PCTL property. If model checking reveals that the probability 
bound is exceeded, a counterexample can either be computed on the abstract 
system and refined hierarchically or a counterexample can directly be computed 
on the concrete system. In the first case, heuristics for the number of states to 
be concretized in a single step as well as for the choice of states are offered. It 
is also possible to predefine the number of concretization steps. The user can 
choose between the counterexample representation as a set of paths and as a 
critical subsystem. In the first case, the tool uses the global search and computes 
a minimal counterexample as introduced in [6]. In the second case, both the 
global search and the local search can be applied. For measuring the performance 
of the particular functions, several predefined benchmarking options are provided. 

Fig. 2. Screenshot of COMICS's GUI with an instance of the crowds protocol 

The interactive mode is based on the usage of the GUI. It provides a graph 
editor for specifying and modifying DTMCs. Several layout algorithms increase 
the usability even for large graphs. Both concrete and abstract graphs can be 
stored, loaded, abstracted, and concretized by the user. After calling SCC-based 
model checking, the resulting refinable abstract graph is visualized and the 
counterexample generation can be invoked. As the most important feature, the user 
is able to control the hierarchical concretization of a counterexample. Abstract 
states can either be concretized by the user or automatically by heuristics. If an 
input graph seems to be too large to display, the tool offers to operate without 
the graphical representation. 

Figure 2 shows one abstracted instance of the crowds protocol benchmark 
[14], where the probability of reaching the unique target state is displayed in the 
information panel on the right as well as on the edge leading from the initial state 
to the target state. The initial state is abstract and can therefore be expanded. 

The tool's five core software components are depicted in Figure 3. The 
functionalities and interactions are as follows: 

SccMC performs SCC-based model checking for an input DTMC. An abstract 
DTMC is returned either to Concretize or to GUI. 

Concretize decides based on either user preferences or heuristics if some nodes 
are to be concretized. The possibly modified system is returned to the GUI 
component for further user input or to CritSubSys. 

CritSubSys computes a critical subsystem using the global search or the local 
search. The resulting subsystem is given to Concretize for further refinement 
or returned as result. 

Path_Set uses the global search approach to compute a set of paths which 
forms a minimal counterexample. 

GUI provides the possibility to define DTMCs by their underlying graphs and 
to modify them using the JGraph library [15]. This component is connected 
both to SccMC and Concretize via the Java Native Interface (JNI). 

The original explicit input format for DTMCs is adapted from Mrmc. For the 
abstract graphs we defined an XML format which efficiently stores their tree-like 
hierarchical structure. Using XML parsers, this allows for transferring the graph 
data between the different components and saving it for later processing. An import 
of Mrmc input files is provided. Thus the export facilities of Prism allow us to 
test a large number of benchmarks offered on the PRISM website [16]. 
Fig. 4. Results for crowds and contract signing (TO > 2h) 

Fig. 4 provides a comparison with DiPro [11]. We applied our tool using GS, 
LS and the k-shortest path (kSP) approach [6] to the crowds protocol and the 
probabilistic contract signing protocol [17]. For the models, we give the number of 
states, the number of transitions, the total probability of reaching target states, 
and the used probability threshold, which shall be exceeded by a counterexample. 

We measured the size of the counterexample (# states), the probability of 
reaching target states (prob.) and the computation time excluding the initial 
model checking. TO denotes timeout, MO out of memory and ERR wrong result. 
On the crowds protocol, GS performs best, while LS computes in general smaller 
counterexamples. kSP is the fastest method for contract signing, however, the 
representation of the result consists of a huge number of paths instead of a small 
subsystem of the input DTMC. 

5 Conclusion and Future Work 

We presented version 1.0 of our tool COMICS which generates abstract, hierarchically 
refinable counterexamples for DTMCs. In the future, we want to integrate 
the computation of minimal critical subsystems [5] and the adaptation of our 
approaches to symbolic data structures. Currently we are working on an incremental 
version of the Dijkstra algorithm to improve the local search and on compositional 
counterexamples to increase the usability of debugging information, since Prism 
models are usually built by parallel composition. 

To speed up the model checking process, we will connect our tool to Prism 
and Mrmc. 